How do you develop a safer web browser?
1. stay on top of newly discovered vulnerabilities
2. maintain an open disclosure policy and well-organized bug tracking system
3. notify end users of updates
4. make updates transparent and painless
Mozilla Firefox fails on step 4.
Vulnerable users are more likely to update their software when the process is automated and easy. Every complicated dialogue box that you present a user reduces the likelihood that they will complete the update.
Internet Explorer can be updated (cumulatively, no less) in an average download of 600K and usually one reboot. In contrast, Firefox displays a helpful little red arrow in the corner of your browser window until you update. Once the user clicks on this subtle little icon, they begin the long process of downloading the update. Once that step completes, they are greeted with the fact that they downloaded a whole new copy of their browser and now have to reinstall the whole thing. This gets a little tricky on multi-user systems, not to mention the novice users who get freaked out when presented with file system install paths. As a final little insult, Firefox leaves its installation executable lying on your desktop.
Firefox's awkward update process is going to leave a large number of people running vulnerable copies of Firefox 1.0.
Mozilla should reward its loyal fan base with an upgrade procedure they can brag about instead of having to make excuses for. The Mozilla development team places an admirable amount of effort on security; now they just need to start delivering it to the people they are trying to protect.
Comments (1)
Oh!
That's what the red arrow in the corner means!
I think the first step for the Firefox folks is actually, um, letting people know that there are updates in a more obvious way. (Yes, I know there's the little pop-up thingy. It just seems to pop up while I'm getting coffee.)
Posted by Boofus McGoofus | April 18, 2005 4:07 PM